MID server OCSP requirement details


Details

The Online Certificate Status Protocol (OCSP) is the protocol used to determine the revocation status of SSL/TLS certificates. When certificates are exchanged and validated, the MID Server needs to determine if the certificate has been revoked and shouldn't be trusted.

Below is Q&A for the OCSP requirement. 

1. Why is ServiceNow using OCSP, and what options does the customer have?

ServiceNow is improving the security of the MID Server's communications by validating the certificates of places it tries to communicate with.

2. Can you disable the OSCP feature?

Yes, you can disable it with the following steps, but only as a temporary workaround to provide immediate relief. Use these steps during an outage situation, or to prepare to implement a proper security solution in the firewall. The workaround needs to be reverted after the firewall is correctly set up. See section 8 for more information about reverting the steps.


a) Navigate to MID Server -> Properties. Find "com.glide.communications.httpclient.verify_revoked_certificate" and set value to false
b) Navigate to MID Server -> Properties. Find "mid.security.validation.endpoints" and clear the value so it is empty.

c) On MID server host, open the /agent/work/remote.properties file, remove *.servicenow.com from the line: mid.security.validation.endpoints

d) Restart the MID Server.

If that does not work because the properties are not synched from the instance to the MID Server, then you may have to edit the properties file in the MID Server installation folders directly. The filename to edit is agent\properties\glide.properties

For more information on these questions, see the Orlando MID Server Release Notes.

3. Do you have to use ocsp.entrust.net? Does it need to be added to the 'mid.security.validation.endpoints' property?

The ocsp.entrust.net URL is actually coming from the certificate on the target host itself. So for ServiceNow instances/targets, the check will use ocsp.entrust.net. They do NOT need to add ocsp.entrust.net to the mid.security.validation.endpoints property.

4. What is the purpose of the new MID Server property 'mid.security.validation.endpoints', and how does it work?

The property acts as an "override" for any other properties, such as "com.glide.communications.httpclient.verify_revoked_certificate" when we are trying to contact a target in its listed domains. For example, the default value of the property is *.service-now.com. Whenever your MID is trying to contact the instance, it will see that its target fits *.service-now.com and will do the certificate validation checks, regardless of other properties telling it not to.

The result of this is even if you, in general, tell the MID to not do revocation check in general with "com.glide.communications.httpclient.verify_revoked_certificate", you can still allow for special cases where you want to guarantee the checks still run

5. Why is the default setting for the 'mid.security.validation.endpoints' property '*.servicenow.com'?

As mentioned above, this just guarantees that the validation checks will run on any domain that fits *.service-now.com. This could include your instance, the upgrade server for the MID, etc. Any target that fits the *.service-now.com format. (* is a wildcard that allows for anything to come before the .service-now.com.)

6. ServiceNow instances all point to *.service-now.com', do we need to add that as well?

There is no need to modify the property to add your instances to it. As mentioned above, the * acts as a wildcard, which would allow it to match things like <instance-name>.service-now.com, install.service-now.com, etc.

7. What really happens if the 'mid.security.validation.endpoints' property is left blank?

If you clear out the property it means that the MID Server will always respect the properties like "com.glide.communications.httpclient.verify_revoked_certificate" when determining if it should run the certificate verification check. It won't cause anything to break, but it will allow you to entirely disable the checks. This may be necessary if you are unable to give the MID access to "ocsp.entrust.net".

8. ***IMPORTANT****

After resolving the issues mentioned in section 2, it is recommended to change the value of the 'mid.security.validation.endpoints' property back to '*.servicenow.com'. If you leave either the 'mid.security.validation.endpoints' property removed or value empty, the MID Server will not validate any TLS connections and the MID Server will be vulnerable. If you see a warning message in MID issue table, it means the 'mid.security.validation.endpoints' is not properly configured.

Additional Information

For additional troubleshooting information, see MID Server can fail to install or upgrade to Orlando due to new external connectivity requirement to ocsp.entrust.net for OCSP certification revocation verification check [KB0813636].